-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, Sep 29, 2005 at 09:21:40AM -0500, Aleksandar Milivojevic wrote: > >>>I did this successfully providing external SSH access to a collection > >>>of hosts on a private network. However for this to work, the hosts on > >>>the private net also need to be doing SNAT back out through the > >>>firewall. > >> > >>Unless you are doing something funky, SNAT is not needed. All he needs > >>is DNAT. > >>Netfilter should take care of returning packets automagically (unless, as > >>I > >>said, you are doing something funky and confusing Netfilter with it). > > > >If you have a RELATED,ESTABLISHED matching rule only. > > Somebody will probably correct me if I'm wrong, but I think restriction is > as > long as you have connection tracking module loaded. And you will have it as > soon as you call any of NAT targets (iptable_nat module depends on > ip_conntrack > module). So you don't have to have any state related rules at all. If your default rule for the related chain is DROP, then you do need the state rules. []s - -- Rodrigo Barbosa <rodrigob at suespammers.org> "Quid quid Latine dictum sit, altum viditur" "Be excellent to each other ..." - Bill & Ted (Wyld Stallyns) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFDPAsnpdyWzQ5b5ckRAh1bAKCNeRJonIkfcsrn+BXSKRFeVdSciwCfSwUc GzClzLnsyLteboKVQdSbJi0= =r2FG -----END PGP SIGNATURE-----